Setup

This wiki page is outdated; see the GitHub repository for an up-to-date configuration file: ungarscool1/dn42

This article contains everything needed to set up and configure a new AS in DN42.


Contents

I. Setup peering
II. Setup Wireguard network interface
III. Setup BGP using Bird
IV. Configure DNS
V. It's done


Setup peering


To interconnect with another DN42 AS we need WireGuard and the ip command.


In this wiki we connect to the peer Kioubit. This peer works on an auto-peering basis: you get the WireGuard profile right away and only have to set up BGP afterwards.


WireGuard config (/etc/wireguard/wg0.conf):


[Interface]
PrivateKey = <your private key>
ListenPort = 51820

[Peer]
PublicKey = <"Kioubit's Side" WireGuard public key>
Endpoint = fr1.g-load.eu:23706
AllowedIPs = 0.0.0.0/0,::/0
PersistentKeepalive = 20


Two things to check in this file. It contains your private key, so it must be readable by root only (chmod 600). AllowedIPs = 0.0.0.0/0,::/0 is intentional: which prefixes actually go through the tunnel is decided by the kernel routing table that BIRD fills, not by WireGuard. That only holds because the interface is created with ip and wg below; wg-quick would turn that AllowedIPs into a default route.


Setting up the network interface (WireGuard)


  1. sudo ip link add dev wg0 type wireguard

  2. sudo ip addr add <your side tunnel IPv4>/32 peer <Kioubit's side tunnel IPv4>/32 dev wg0

  3. sudo ip -6 addr add <your side tunnel IPv6>/64 dev wg0

  4. sudo wg setconf wg0 /etc/wireguard/wg0.conf

  5. sudo ip link set wg0 up


Setting up the loopback interface (lo)


  1. sudo ip addr add <your AS's primary IPv4 in your block (here "172.20.183.41/32")> dev lo

  2. sudo ip -6 addr add <your AS's primary IPv6 in your block (here "fd92:3823:80fd:d300::2/64")> dev lo
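The five interface steps and the two loopback steps above as one script. This is an added example and not part of the original page: it renders the WireGuard config, creates the key pair if needed, runs the ip/wg commands and can wait for a handshake. It assumes the interface name wg0, a key file at /etc/wireguard/wg0.key (a path not on the page) and that it is run as root with WG_APPLY=1; without WG_APPLY=1 it only prints the commands. Every PLACEHOLDER value and the fe80::1 tunnel address are placeholders to replace with what the peer gave you.

```shell
#!/bin/sh
# Added example, not part of the original page: bring up the WireGuard tunnel
# to the peer and the loopback addresses from a few variables. Without
# WG_APPLY=1 it only prints the commands it would run, so you can review them.
# Every value marked "placeholder" must be replaced with the one from your
# peer's auto-peering page or your own allocation.
set -eu

WG_IF="${WG_IF:-wg0}"
WG_CONF="${WG_CONF:-/etc/wireguard/${WG_IF}.conf}"
WG_KEY_FILE="${WG_KEY_FILE:-/etc/wireguard/${WG_IF}.key}"   # assumed path
WG_LISTEN_PORT="${WG_LISTEN_PORT:-51820}"
PEER_PUBKEY="${PEER_PUBKEY:-PEER_WG_PUBLIC_KEY_PLACEHOLDER}"    # placeholder
PEER_ENDPOINT="${PEER_ENDPOINT:-fr1.g-load.eu:23706}"
MY_TUNNEL_V4="${MY_TUNNEL_V4:-172.20.183.41}"                  # your side (from the page)
PEER_TUNNEL_V4="${PEER_TUNNEL_V4:-PEER_TUNNEL_V4_PLACEHOLDER}" # placeholder: peer's side
MY_TUNNEL_V6="${MY_TUNNEL_V6:-fe80::1}"                        # placeholder: your tunnel IPv6
MY_AS_V4="${MY_AS_V4:-172.20.183.41/32}"                       # gateway address (from the page)
MY_AS_V6="${MY_AS_V6:-fd92:3823:80fd:d300::2/64}"              # gateway address (from the page)
WG_APPLY="${WG_APPLY:-0}"

# Execute a command, or only print it in dry-run mode.
run() {
  if [ "$WG_APPLY" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Config handed to `wg setconf`. The private key is deliberately absent: it is
# loaded afterwards from a mode-0600 file with `wg set ... private-key`.
# AllowedIPs covers everything on purpose: BIRD, via the kernel routing table,
# decides which prefixes use this tunnel; WireGuard only has to accept whatever
# the peer sends. This is safe because the interface is built with ip(8)/wg(8);
# wg-quick would turn 0.0.0.0/0 into a default route.
render_wg_conf() {
  cat <<EOF
[Interface]
ListenPort = ${WG_LISTEN_PORT}

[Peer]
PublicKey = ${PEER_PUBKEY}
Endpoint = ${PEER_ENDPOINT}
AllowedIPs = 0.0.0.0/0,::/0
PersistentKeepalive = 20
EOF
}

# Create the key pair once, private key readable by root only, and print the
# public key, which is what you hand to the peer.
ensure_private_key() {
  if [ ! -s "$WG_KEY_FILE" ]; then
    run sh -c "umask 077 && wg genkey > '$WG_KEY_FILE'"
  fi
  run sh -c "wg pubkey < '$WG_KEY_FILE'"
}

# Steps 1-5 of the page: create, address, configure and bring up wg0.
setup_tunnel() {
  run ip link add dev "$WG_IF" type wireguard
  run ip addr add "${MY_TUNNEL_V4}/32" peer "${PEER_TUNNEL_V4}/32" dev "$WG_IF"
  run ip -6 addr add "${MY_TUNNEL_V6}/64" dev "$WG_IF"
  run wg setconf "$WG_IF" "$WG_CONF"
  run wg set "$WG_IF" private-key "$WG_KEY_FILE"
  run ip link set "$WG_IF" up
}

# The AS's gateway addresses live on lo so they stay up whichever tunnel is up.
setup_loopback() {
  run ip addr add "$MY_AS_V4" dev lo
  run ip -6 addr add "$MY_AS_V6" dev lo
}

# True once a handshake has completed (timestamp 0 means none yet). With
# PersistentKeepalive = 20 this happens within a minute of `link set up`;
# use it as `until handshake_ok; do sleep 5; done`.
handshake_ok() {
  ts="$(wg show "$WG_IF" latest-handshakes 2>/dev/null | awk 'NR == 1 { print $2 }')"
  [ "${ts:-0}" -gt 0 ]
}

main() {
  if [ "$WG_APPLY" = 1 ]; then
    umask 077
    render_wg_conf > "$WG_CONF"
  fi
  ensure_private_key
  setup_tunnel
  setup_loopback
}

main
```

Run it once as `sh wg-up.sh` to read the commands, then `sudo WG_APPLY=1 sh wg-up.sh`; the public key it prints is the one to paste into the peer's auto-peering form.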


Setting up BGP with Bird


Now that the peering tunnel is up, we have to announce our IP blocks. For that we use the bird daemon. Why? Because I copy-pasted the config from the dn42 wiki 👉👈.

The configuration below is for bird 1.x, which runs as two separate daemons, bird for IPv4 and bird6 for IPv6, hence the two main files (bird.conf and bird6.conf) and separate local/filter/peers files per address family.


/etc/bird/bird.conf:


# Device status

protocol device {
  scan time 10; # recheck every 10 seconds
}

protocol static {
  # Static route to announce your own range(s) in dn42. "reject" is fine here:
  # this route only exists to be announced, the kernel filter below never
  # installs it, and traffic for your own addresses is delivered by more
  # specific routes (lo, your LAN).
  route <your IPv4 block> reject;
  import all;
  export none;
}

# local configuration
######################

# keeping router specific settings in a separate file,
# so this configuration can be reused on multiple routers in your network

include "/etc/bird/local4.conf";

# filter helpers
#################

include "/etc/bird/filter4.conf";

# Kernel routing tables
########################

/*
    krt_prefsrc defines the source address for outgoing connections.
    On Linux, this causes the "src" attribute of a route to be set.

    Without this option outgoing connections would use the peering IP which
    would cause packet loss if some peering disconnects but the interface
    is still available. (The route would still exist and thus route through
    the TUN/TAP interface but the VPN daemon would simply drop the packet.)
*/
protocol kernel {
  scan time 20;
  import none;
  export filter {
    if source = RTS_STATIC then reject;
    krt_prefsrc = OWNIP;
    accept;
  };
}

# DN42
#######

template bgp dnpeers {
  local as OWNAS;
  # metric is the number of hops between us and the peer
  path metric 1;
  # keep the routes the import filter rejected, so they can be inspected
  # with "show route filtered" in birdc
  import keep filtered;
  import filter {
    # accept only dn42 (and related) space, never our own block, and only
    # routes whose origin AS is authorised for the prefix in the dn42 ROA
    # table (dn42_roa is defined in filter4.conf).
    # filtering is important, because some guys try to advertise routes like 0.0.0.0/0
    if is_valid_network() && !is_self_net() then {
      if roa_check(dn42_roa, net, bgp_path.last) != ROA_VALID then {
        print "[dn42] ROA check failed for ", net, " ASN ", bgp_path.last;
        reject;
      }
      accept;
    }
    reject;
  };
  export filter {
    # export our own static block and everything learned from other peers
    if is_valid_network() && source ~ [RTS_STATIC, RTS_BGP] then {
      accept;
    }
    reject;
  };
  # a peer announcing more than 1000 routes has the excess discarded
  import limit 1000 action block;
  #source address OWNIP;
}

include "/etc/bird/peers4/*";


/etc/bird/bird6.conf:


#/etc/bird/bird6.conf

protocol device {
  scan time 10;
}

# local configuration
######################

include "/etc/bird/local6.conf";

# filter helpers
#################

include "/etc/bird/filter6.conf";

# Kernel routing tables
########################

/*
    krt_prefsrc defines the source address for outgoing connections.
    On Linux, this causes the "src" attribute of a route to be set.

    Without this option outgoing connections would use the peering IP which
    would cause packet loss if some peering disconnects but the interface
    is still available. (The route would still exist and thus route through
    the TUN/TAP interface but the VPN daemon would simply drop the packet.)
*/
protocol kernel {
  scan time 20;
  import none;
  export filter {
    if source = RTS_STATIC then reject;
    krt_prefsrc = OWNIP;
    accept;
  };
}

# static routes
################

protocol static {
  # announced only, never installed in the kernel (see the filter above)
  route <your IPv6 block> reject;
  import all;
  export none;
}

template bgp dnpeers {
  local as OWNAS;
  path metric 1;
  import keep filtered;
  import filter {
    # same rules as for IPv4: valid dn42 space, not our own block, and the
    # origin AS must match the dn42 ROA table from filter6.conf
    if is_valid_network() && !is_self_net() then {
      if roa_check(dn42_roa, net, bgp_path.last) != ROA_VALID then {
        print "[dn42] ROA check failed for ", net, " ASN ", bgp_path.last;
        reject;
      }
      accept;
    }
    reject;
  };
  export filter {
    if is_valid_network() && source ~ [RTS_STATIC, RTS_BGP] then {
      accept;
    }
    reject;
  };
  import limit 1000 action block;
}

include "/etc/bird/peers6/*";


/etc/bird/local4.conf:


# should be a unique identifier, <GATEWAY_IP> is what most people use.
router id <your gateway IPv4 (the first address of your block)>;

define OWNAS = <your AS number>;
define OWNIP = <your gateway IPv4>;

function is_self_net() {
  return net ~ [<your IPv4 block>+];
}

# prefixes we are willing to learn or announce at all: dn42 plus the networks
# interconnected with it; public space and default routes never match
function is_valid_network() {
  return net ~ [
    172.20.0.0/14{21,29}, # dn42
    172.20.0.0/24{28,32}, # dn42 Anycast
    172.21.0.0/24{28,32}, # dn42 Anycast
    172.22.0.0/24{28,32}, # dn42 Anycast
    172.23.0.0/24{28,32}, # dn42 Anycast
    172.31.0.0/16+,       # ChaosVPN
    10.100.0.0/14+,       # ChaosVPN
    10.127.0.0/16{16,32}, # neonetwork
    10.0.0.0/8{15,24}     # Freifunk.net
  ];
}


/etc/bird/local6.conf:


# should be a unique identifier, use the same id as for ipv4

router id <your gateway IPv4>;

define OWNAS = <your AS number>;
define OWNIP = <your gateway IPv6>;

function is_self_net() {
  return net ~ [<your IPv6 block>+];
}

function is_valid_network() {
  return net ~ [
    fd00::/8{44,64} # ULA address space as per RFC 4193
  ];
}


/etc/bird/filter4.conf:


# ROA table built from the dn42 registry. Keep this file refreshed (e.g. from
# cron); a stale table makes newly registered prefixes fail as ROA_INVALID.
roa table dn42_roa {
    include "/var/lib/bird/bird_roa_dn42.conf";
};
# stand-alone ROA filter, usable as "import filter dn42_ipv4;" on a peer.
# A BIRD filter must end in accept or reject; falling off the end drops the
# route with a "did not return accept nor reject" error.
filter dn42_ipv4 {
   if roa_check(dn42_roa, net, bgp_path.last) != ROA_VALID then {
       print "[dn42] ROA check failed for ", net, " ASN ", bgp_path.last;
       reject;
   }
   accept;
}


/etc/bird/filter6.conf:


# IPv6 ROA table, same remarks as in filter4.conf
roa table dn42_roa {
    include "/var/lib/bird/bird6_roa_dn42.conf";
};
filter dn42_ipv6 {
   if roa_check(dn42_roa, net, bgp_path.last) != ROA_VALID then {
       print "[dn42] ROA check failed for ", net, " ASN ", bgp_path.last;
       reject;
   }
   accept;
}


/etc/bird/peers4/<your peer's name>:


protocol bgp <your peer's name> from dnpeers {
  neighbor <peer's tunnel IPv4> as <your peer's AS number>;
  # no "export all" here: it would replace the template's export filter and
  # announce everything in the table, not only valid dn42 routes
}


/etc/bird/peers6/<your peer's name>:


protocol bgp <your peer's name> from dnpeers {
  # with a global (ULA) tunnel address this is enough:
  #neighbor <peer's tunnel IPv6> as <your peer's AS number>;
  # with a link-local address (fe80::/10) the neighbor must be bound to the
  # interface, because link-local addresses are only unique per link:
  neighbor <peer's tunnel IPv6> % 'wg0' as <your peer's AS number>;
}


Then don't forget to load it. Bird 1.x is two daemons, bird (IPv4) and bird6 (IPv6), so either restart both:



sudo systemctl restart bird bird6

or reload the configuration into the running daemons, which keeps the sessions of unchanged protocols up:

sudo birdc configure && sudo birdc6 configure
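The two ROA files included by filter4.conf and filter6.conf have to come from somewhere and be kept fresh, and since they are included as configuration, a reload should be preceded by a check of what is about to be loaded. The script below is an added example, not from the page or the dn42 wiki: it downloads the ROA exports, refuses to install anything that does not look like a BIRD 1.x roa table, parse-checks both configs with bird -p and only then reloads both daemons. The burble.com URLs are what the dn42 wiki points at for BIRD 1.x but are an assumption here, and the entry format the check enforces (roa <prefix> max <len> as <asn>;) is BIRD 1.x's roa table syntax.

```shell
#!/bin/sh
# Added example, not from the original page: refresh the dn42 ROA table files
# that filter4.conf and filter6.conf include, sanity-check them, parse-check
# the BIRD configs and only then reload both daemons. The download URLs are
# the burble.com ROA exports for BIRD 1.x referenced by the dn42 wiki; they
# are an assumption here, verify them against the wiki before relying on them.
set -eu

ROA4_FILE="${ROA4_FILE:-/var/lib/bird/bird_roa_dn42.conf}"
ROA6_FILE="${ROA6_FILE:-/var/lib/bird/bird6_roa_dn42.conf}"
ROA4_URL="${ROA4_URL:-https://dn42.burble.com/roa/dn42_roa_bird1_4.conf}"   # assumed
ROA6_URL="${ROA6_URL:-https://dn42.burble.com/roa/dn42_roa_bird1_6.conf}"   # assumed

# Because the file is `include`d into bird.conf, BIRD executes whatever it
# contains as configuration. Accept only blank lines, comments and lines with
# the exact shape of a BIRD 1.x roa table entry ("roa <prefix> max <len> as
# <asn>;"), and require at least one entry, so a truncated, empty or hostile
# download never reaches the daemon.
roa_sanity() {   # roa_sanity <file> -> 0 if the file looks like a ROA export
  f="$1"
  [ -s "$f" ] || return 1
  if grep -Ev '^[[:space:]]*(#.*)?$|^[[:space:]]*roa[[:space:]]+[0-9A-Fa-f.:]+/[0-9]+[[:space:]]+max[[:space:]]+[0-9]+[[:space:]]+as[[:space:]]+[0-9]+;[[:space:]]*$' "$f" >/dev/null; then
    return 1   # a line that is neither a comment nor a roa entry
  fi
  grep -Eq '^[[:space:]]*roa[[:space:]]' "$f"
}

# Download next to the destination and install atomically only after the
# file passed roa_sanity; on any failure the previous (known good) file stays.
refresh_roa() {   # refresh_roa <url> <dest>
  tmp="$(mktemp "$2.XXXXXX")"
  if curl -sfSL --max-time 60 -o "$tmp" "$1" && roa_sanity "$tmp"; then
    mv -f "$tmp" "$2"
  else
    rm -f "$tmp"
    echo "ROA refresh from $1 failed, keeping $2" >&2
    return 1
  fi
}

# Parse the config with the daemon binary before asking the running daemon
# to load it: `bird -p` only parses and exits, so a typo or a missing include
# is reported here with a line number instead of by a failed `configure`.
check_and_reload() {   # check_and_reload <daemon> <client> <config>
  "$1" -p -c "$3"
  "$2" configure
}

main() {
  refresh_roa "$ROA4_URL" "$ROA4_FILE"
  refresh_roa "$ROA6_URL" "$ROA6_FILE"
  check_and_reload bird  birdc  /etc/bird/bird.conf
  check_and_reload bird6 birdc6 /etc/bird/bird6.conf
}

# Run as root from cron (every 15 minutes or so): ROA data that is never
# refreshed silently turns newly registered prefixes into ROA_INVALID.
if [ "${1:-}" = "run" ]; then main; fi
```

Invoke it as `sudo sh roa-reload.sh run`; the same two check_and_reload calls are what to run by hand after editing any of the bird files.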


DNS


To resolve names, both .dn42 names and the normal internet, we need a local DNS forwarder. The dn42 resolvers below are only reachable through the tunnel, so BGP has to be working first.


  1. sudo apt install dnsmasq


In the file /etc/dnsmasq.d/dn42.conf, put:



# ignore /etc/resolv.conf, use only the servers listed here
no-resolv

# default upstream for everything that is not dn42
server=1.1.1.1

# the .dn42 zone and the reverse zones of 172.20.0.0/14 go to the dn42 anycast resolver
server=/dn42/172.20.0.53

server=/20.172.in-addr.arpa/172.20.0.53

server=/21.172.in-addr.arpa/172.20.0.53

server=/22.172.in-addr.arpa/172.20.0.53

server=/23.172.in-addr.arpa/172.20.0.53

# reverse zone of fd00::/8 (ULA), the IPv6 space used inside dn42
server=/d.f.ip6.arpa/fd42:d42:d42:54::1


Disable the systemd-resolved service (it manages /etc/resolv.conf as a symlink; replace that with a plain file), then edit /etc/resolv.conf so that the nameserver is your own server: nameserver 127.0.0.1. One caveat: dnsmasq listens on every interface by default and answers anyone who asks, so if the machine also has a public address, restrict it (listen-address=127.0.0.1, or bind-interfaces with interface=) rather than run an open resolver on the internet.


Last step


To test your configuration, and above all to find out whether it works, ping the IPs of this site. If you get a reply, 🎉.
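A ping that gets no reply only says that something is broken. The script below is an added example, not from the page: it checks the layers in the order they were built (WireGuard handshake, BGP session state, route through the tunnel, local DNS) and reports the first one that fails. The protocol name kioubit is a placeholder for whatever you named the peer in /etc/bird/peers4/; it needs wg, birdc, iproute2, ping and dig.

```shell
#!/bin/sh
# Added example, not from the original page: check the new AS layer by layer
# (WireGuard handshake, BGP session, route through the tunnel, DNS) so that a
# failing ping is attributed to the right layer. 172.20.0.53 is the dn42
# anycast resolver the dnsmasq config forwards to; PEER_PROTO is a placeholder
# for the protocol name you used in /etc/bird/peers4/.
set -eu

WG_IF="${WG_IF:-wg0}"
PEER_PROTO="${PEER_PROTO:-kioubit}"
DN42_DNS="${DN42_DNS:-172.20.0.53}"

# bgp_established <protocol name> <output of "birdc show protocols">
# -> 0 when that BGP protocol is Established. BIRD 1.x prints one row per
# protocol (name proto table state since info); for BGP the info column holds
# the session state (Established, Active, Connect, Idle, ...).
bgp_established() {
  printf '%s\n' "$2" | awk -v p="$1" '
    $1 == p && $2 == "BGP" && $6 == "Established" { found = 1 }
    END { exit found ? 0 : 1 }'
}

check_wireguard() {
  ts="$(wg show "$WG_IF" latest-handshakes 2>/dev/null | awk 'NR == 1 { print $2 }')"
  [ "${ts:-0}" -gt 0 ] && return 0
  echo "layer 1: no WireGuard handshake on $WG_IF (keys, endpoint, UDP port?)"
  return 1
}

check_bgp() {
  bgp_established "$PEER_PROTO" "$(birdc show protocols 2>/dev/null || true)" && return 0
  echo "layer 2: BGP session $PEER_PROTO not Established (birdc show protocols all $PEER_PROTO)"
  return 1
}

# The route to the resolver must point into the tunnel; if it does not, the
# peer exported nothing or the import filter dropped it (birdc show route filtered).
check_route() {
  if ! ip route get "$DN42_DNS" 2>/dev/null | grep -q "dev $WG_IF"; then
    echo "layer 3: no route to $DN42_DNS via $WG_IF (birdc show route for $DN42_DNS)"
    return 1
  fi
  ping -c 1 -W 3 "$DN42_DNS" >/dev/null 2>&1 && return 0
  echo "layer 3: route exists but $DN42_DNS does not answer (kernel export, krt_prefsrc?)"
  return 1
}

# The local dnsmasq must answer for the dn42 zone; asking for the SOA of
# "dn42" needs no particular hostname to exist.
check_dns() {
  dig +short +time=3 @127.0.0.1 dn42 SOA 2>/dev/null | grep -q . && return 0
  echo "layer 4: dnsmasq on 127.0.0.1 does not resolve the dn42 zone"
  return 1
}

main() {
  check_wireguard && check_bgp && check_route && check_dns && echo "all layers OK"
}

if [ "${1:-}" = "run" ]; then main; fi
```

Run it as `sudo sh dn42-check.sh run`; because the checks stop at the first failure, the message names the layer to debug, and the command in parentheses is where to look next.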